Difference between revisions of "Device Nodes"

From The iPhone Wiki
m (gps)
(link to /dev)
 
(14 intermediate revisions by 6 users not shown)
Line 2: Line 2:
 
These nodes can be read from or written to by the OS or applications.
 
These nodes can be read from or written to by the OS or applications.
   
  +
See also [[/dev]].
  +
  +
==Overview==
 
A iPhone 3G 2.0.2 contains:
 
A iPhone 3G 2.0.2 contains:
   
Line 75: Line 78:
 
crw-rw-rw- 1 root wheel 3, 3 Aug 28 15:35 zero
 
crw-rw-rw- 1 root wheel 3, 3 Aug 28 15:35 zero
   
  +
==Block Devices==
 
=Block Devices=
 
 
{| border="1" cellpadding="20" cellspacing="0"
 
{| border="1" cellpadding="20" cellspacing="0"
 
|disk0
 
|disk0
Line 86: Line 88:
 
| disk0s2
 
| disk0s2
 
| User space. Stores Music, Photos, Videos, Podcasts, Ringtones and Apps. Mounted as /private/var.
 
| User space. Stores Music, Photos, Videos, Podcasts, Ringtones and Apps. Mounted as /private/var.
  +
|-
  +
| disk1
  +
| Unless you previously mounted something on purpose, this is going to be the DeveloperDiskImage from XCode, which is uploaded to your device and mounted every time you plug in with XCode running. It is signature checked against /System/Library/Lockdown/iPhoneDebug.pem.
 
|-
 
|-
 
| vn0
 
| vn0
Line 95: Line 100:
 
|}
 
|}
   
=Interesting Character Devices=
+
==Interesting Character Devices==
 
{|border="1" cellpadding="20" cellspacing="0"
 
{|border="1" cellpadding="20" cellspacing="0"
  +
|Dev Node
|rdisk0
 
  +
|Description
| Ramdisk, encrypted?
 
  +
|Children
 
|-
 
|-
  +
| rdisk0
|rdisk0s1
 
  +
| RAW Disk; to access the Flash
| Why is the ramdisk in 2 partitions?
 
  +
| rdisk0s1 (root) rdisk0s2 (data)
 
|-
 
|-
|dlci.spi-baseband.9
+
| dlci.spi-baseband
  +
| iPhone Baseband Radio
|GPS (extracted string from /usr/libexec/locationd)
 
  +
| dlci.spi-baseband.0 - dlci.spi-baseband.15
 
|-
 
|-
  +
| tty.iap
|rdisk0s2
 
  +
| serial connection (pins 12 and 13 of the Dock connector)
 
|-
 
|-
  +
| uart.umts
|mux.spi-baseband
 
  +
| Serial connection to the Utms radio (?)
 
|-
 
|-
  +
| dlci.spi-baseband.9
|uart.umts
 
  +
| GPS device (read from by /usr/libexec/locationd82 for CoreLocation services)
  +
|-
  +
| mem
  +
| Raw access to RAM (has been blocked since 1.1.2) Memory devices can be re-enabled with single WORD change within kernel.
  +
| kmem, Raw access to Kernel Memory (also blocked since 1.1.2)
  +
|-
  +
| aes_0
  +
| Access to AES engine. Works via complicated ioctl handshake. Not known why it exists, as use of the IOKit interface is much simpler.
 
|-
 
|-
|cu.umts
 
 
|}
 
|}
  +
  +
===How to access /dev/mem and /dev/kmem===
  +
All you need to do is patch the kernel. See [http://code.google.com/p/chronicdev/wiki/GetBackMemAndKmem here] for up to date patches according to the firmware revision that you are on. Basically, the last one patches the setup_kmem flag itself, and the others just patch the checks to it.
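Review bot: in the added uart.umts row the radio is spelled "Utms", which does not match the node name (umts) and looks like a typo for UMTS; please correct it. The added dlci.spi-baseband.9 row cites /usr/libexec/locationd82 while the row it replaces cites /usr/libexec/locationd, so confirm which path is right. The mem row also puts the kmem description in the Children column rather than giving kmem its own row, which makes the second "blocked since 1.1.2" statement easy to miss.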

Latest revision as of 13:30, 21 June 2011

The underlying Unix OS that powers the iPhone has a number of device nodes. These nodes can be read from or written to by the OS or applications.

See also /dev.

Overview

An iPhone 3G running 2.0.2 contains:

crw-rw-rw-  1 root wheel    21,  0 Aug 28 15:35 aes_0
crw-------  1 root wheel    23,  0 Aug 28 18:56 bpf0
crw-------  1 root wheel    23,  1 Aug 28 18:56 bpf1
crw-------  1 root wheel    23,  2 Aug 28 15:35 bpf2
crw-------  1 root wheel    23,  3 Aug 28 15:35 bpf3
c------r--  1 root wheel    11,  0 Aug 28 15:35 btreset
crw--w--w-  1 root wheel     0,  0 Aug 28 15:35 console
crw-rw-rw-  1 root wheel     1,  5 Aug 28 18:56 cu.bluetooth
crw-rw-rw-  1 root wheel     1,  7 Aug 28 15:35 cu.debug
crw-rw-rw-  1 root wheel     1,  1 Aug 28 15:35 cu.iap
crw-rw-rw-  1 root wheel     1,  3 Aug 28 15:35 cu.umts
brw-r-----  1 root operator 14,  0 Aug 28 15:35 disk0
brw-r-----  1 root operator 14,  1 Aug 28 15:35 disk0s1
brw-r-----  1 root operator 14,  2 Aug 28 15:35 disk0s2
crw-------  1 root wheel     9,  0 Aug 28 15:35 dlci.spi-baseband.0
crw-------  1 root wheel     9,  1 Aug 28 18:56 dlci.spi-baseband.1
crw-------  1 root wheel     9, 10 Aug 28 15:35 dlci.spi-baseband.10
crw-------  1 root wheel     9, 11 Aug 28 15:35 dlci.spi-baseband.11
crw-------  1 root wheel     9, 12 Aug 28 15:35 dlci.spi-baseband.12
crw-------  1 root wheel     9, 13 Aug 28 15:35 dlci.spi-baseband.13
crw-------  1 root wheel     9, 14 Aug 28 15:35 dlci.spi-baseband.14
crw-------  1 root wheel     9, 15 Aug 28 15:35 dlci.spi-baseband.15
crw-------  1 root wheel     9,  2 Aug 28 19:13 dlci.spi-baseband.2
crw-------  1 root wheel     9,  3 Aug 28 18:56 dlci.spi-baseband.3
crw-------  1 root wheel     9,  4 Aug 28 18:56 dlci.spi-baseband.4
crw-------  1 root wheel     9,  5 Aug 28 18:56 dlci.spi-baseband.5
crw-------  1 root wheel     9,  6 Aug 28 18:56 dlci.spi-baseband.6
crw-------  1 root wheel     9,  7 Aug 28 18:56 dlci.spi-baseband.7
crw-------  1 root wheel     9,  8 Aug 28 18:56 dlci.spi-baseband.8
crw-------  1 root wheel     9,  9 Aug 28 18:56 dlci.spi-baseband.9
crw-------  1 root wheel     6,  0 Aug 28 15:35 klog
cr--r--r--  1 root wheel    13,  3 Aug 28 15:35 mrvl868x0
crw-------  1 root wheel     9,  0 Aug 28 15:35 mux.spi-baseband
crw-rw-rw-  1 root wheel     3,  2 Aug 28 18:56 null
crw-rw-rw-  1 root tty      15,  1 Aug 28 19:13 ptmx
crw-rw-rw-  1 root wheel     5,  0 Aug 28 15:35 ptyp0
crw-rw-rw-  1 root wheel     5,  1 Aug 28 15:35 ptyp1
crw-rw-rw-  1 root wheel     5,  2 Aug 28 15:35 ptyp2
crw-rw-rw-  1 root wheel     5,  3 Aug 28 15:35 ptyp3
crw-rw-rw-  1 root wheel     5,  4 Aug 28 15:35 ptyp4
crw-rw-rw-  1 root wheel     5,  5 Aug 28 15:35 ptyp5
crw-rw-rw-  1 root wheel     5,  6 Aug 28 15:35 ptyp6
crw-rw-rw-  1 root wheel     5,  7 Aug 28 15:35 ptyp7
crw-rw-rw-  1 root wheel     8,  0 Aug 28 15:35 random
crw-r-----  1 root operator 14,  0 Aug 28 15:35 rdisk0
crw-r-----  1 root operator 14,  1 Aug 28 15:35 rdisk0s1
crw-r-----  1 root operator 14,  2 Aug 28 15:35 rdisk0s2
crw-rw-rw-  1 root wheel    20,  0 Aug 28 15:35 sha1_0
crw-rw-rw-  1 root wheel     2,  0 Aug 28 15:35 tty
crw-rw-rw-  1 root wheel     1,  4 Aug 28 15:35 tty.bluetooth
crw-rw-rw-  1 root wheel     1,  6 Aug 28 15:35 tty.debug
crw-rw-rw-  1 root wheel     1,  0 Aug 28 15:35 tty.iap
crw-rw-rw-  1 root wheel     1,  2 Aug 28 15:35 tty.umts
crw-rw-rw-  1 root wheel     4,  0 Aug 28 15:35 ttyp0
crw-rw-rw-  1 root wheel     4,  1 Aug 28 15:35 ttyp1
crw-rw-rw-  1 root wheel     4,  2 Aug 28 15:35 ttyp2
crw-rw-rw-  1 root wheel     4,  3 Aug 28 15:35 ttyp3
crw-rw-rw-  1 root wheel     4,  4 Aug 28 15:35 ttyp4
crw-rw-rw-  1 root wheel     4,  5 Aug 28 15:35 ttyp5
crw-rw-rw-  1 root wheel     4,  6 Aug 28 15:35 ttyp6
crw-rw-rw-  1 root wheel     4,  7 Aug 28 15:35 ttyp7
crw--w----  1 root tty      16,  0 Aug 28 19:13 ttys000
crw-rw-rw-  1 root wheel    10,  2 Aug 28 15:35 uart.bluetooth
crw-rw-rw-  1 root wheel    10,  3 Aug 28 15:35 uart.debug
crw-rw-rw-  1 root wheel    10,  0 Aug 28 15:35 uart.iap
crw-rw-rw-  1 root wheel    10,  1 Aug 28 15:35 uart.umts
crw-rw-rw-  1 root wheel     8,  1 Aug 28 15:35 urandom
brw-------  1 root operator  1,  0 Aug 28 15:35 vn0
brw-------  1 root operator  1,  1 Aug 28 15:35 vn1
crw-rw-rw-  1 root wheel     3,  3 Aug 28 15:35 zero
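An audit of this kind of listing, as an added example that is not part of the original wiki page: it parses `ls -l` lines, reports nodes that any user can write to, and groups names that share one device number. The function names and the `EXPECTED_OPEN` allow-list are assumptions made for the example; the sample lines are copied from the listing above.

```python
import re
from collections import defaultdict

# Sample input: ten lines copied from the listing above (embedded so this runs offline).
SAMPLE = """\
crw-rw-rw-  1 root wheel    21,  0 Aug 28 15:35 aes_0
c------r--  1 root wheel    11,  0 Aug 28 15:35 btreset
brw-r-----  1 root operator 14,  0 Aug 28 15:35 disk0
crw-------  1 root wheel     9,  0 Aug 28 15:35 dlci.spi-baseband.0
crw-------  1 root wheel     9,  0 Aug 28 15:35 mux.spi-baseband
crw-rw-rw-  1 root wheel     3,  2 Aug 28 18:56 null
crw-r-----  1 root operator 14,  0 Aug 28 15:35 rdisk0
crw-rw-rw-  1 root wheel    20,  0 Aug 28 15:35 sha1_0
crw-rw-rw-  1 root wheel    10,  1 Aug 28 15:35 uart.umts
crw-rw-rw-  1 root wheel     3,  3 Aug 28 15:35 zero
"""

LINE = re.compile(
    r"^(?P<type>[bc])(?P<perm>[rwx-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<name>\S+)$")

# Assumption: nodes that are world-writable by design on any Unix system.
EXPECTED_OPEN = re.compile(r"^(null|zero|u?random|tty|ptmx|[pt]typ\d+)$")

def parse(listing):
    """Return one dict per device-node line; non-matching lines are skipped."""
    nodes = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["major"], d["minor"] = int(d["major"]), int(d["minor"])
            nodes.append(d)
    return nodes

def world_writable(nodes):
    """Names of nodes any user can write to, excluding the expected ones."""
    return sorted(n["name"] for n in nodes
                  if n["perm"][7] == "w" and not EXPECTED_OPEN.match(n["name"]))

def aliases(nodes):
    """Groups of names that share one (type, major, minor) device number."""
    by_dev = defaultdict(list)
    for n in nodes:
        by_dev[(n["type"], n["major"], n["minor"])].append(n["name"])
    return {k: sorted(v) for k, v in by_dev.items() if len(v) > 1}

if __name__ == "__main__":
    print(world_writable(parse(SAMPLE)), aliases(parse(SAMPLE)))
```

Run over the full listing, the same check separates the root-only baseband channels from the world-writable serial, AES and SHA-1 nodes, and shows that disk0 and rdisk0 are distinct block and character nodes rather than aliases.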

Block Devices

{| border="1" cellpadding="20" cellspacing="0"
| disk0
| iPhone flash memory (4, 8 or 16GB)
|-
| disk0s1
| OS partition. Stores the root file system (/).
|-
| disk0s2
| User space. Stores Music, Photos, Videos, Podcasts, Ringtones and Apps. Mounted as /private/var.
|-
| disk1
| Unless you previously mounted something on purpose, this is going to be the DeveloperDiskImage from Xcode, which is uploaded to your device and mounted every time you plug in with Xcode running. It is signature-checked against /System/Library/Lockdown/iPhoneDebug.pem.
|-
| vn0
| unknown
|-
| vn1
| unknown
|}

Interesting Character Devices

{| border="1" cellpadding="20" cellspacing="0"
| Dev Node
| Description
| Children
|-
| rdisk0
| RAW Disk; to access the Flash
| rdisk0s1 (root) rdisk0s2 (data)
|-
| dlci.spi-baseband
| iPhone Baseband Radio
| dlci.spi-baseband.0 - dlci.spi-baseband.15
|-
| tty.iap
| Serial connection (pins 12 and 13 of the Dock connector)
|
|-
| uart.umts
| Serial connection to the UMTS radio (?)
|
|-
| dlci.spi-baseband.9
| GPS device (read by /usr/libexec/locationd82 for CoreLocation services)
|
|-
| mem
| Raw access to RAM (blocked since 1.1.2). Memory devices can be re-enabled with a single WORD change within the kernel.
| kmem: raw access to kernel memory (also blocked since 1.1.2)
|-
| aes_0
| Access to the AES engine. Works via a complicated ioctl handshake. Not known why it exists, as use of the IOKit interface is much simpler.
|
|}

How to access /dev/mem and /dev/kmem

All you need to do is patch the kernel. See http://code.google.com/p/chronicdev/wiki/GetBackMemAndKmem for up-to-date patches according to the firmware revision that you are on. Basically, the last one patches the setup_kmem flag itself, and the others just patch the checks to it.